Method and base chip for monitoring the operation of a microcontroller unit

ABSTRACT

To enable a method and a base chip (200) for monitoring the operation of at least one microcontroller unit (300) that is intended for at least one application and is associated with a system (100) to be further developed in such a way that the operation of the microcontroller unit (300), which is associated with a serial system, is monitored in such a way as to enable faulty operation, and particularly faulty operation that discharges the battery, to be reliably prevented, it is proposed that the microcontroller unit (300) has at least one non-volatile memory area (10) associated with it, the memory area (10) can be read from and/or written to by the microcontroller unit (300), and at least one set of statistics, and in particular a set of fault statistics, relating to the operation of the microcontroller unit (300), can be kept by means of the memory area (10).

The present invention relates to a method of monitoring the operation of at least one microcontroller unit that is intended for at least one application and is associated with a system.

The present invention further relates to a base chip, and particularly a system base chip, for monitoring the operation of at least one microcontroller unit that is intended for at least one application, and to an associated system, and particularly a control system.

In modern-day control units, in automobile electronics for example, it is no longer usual for use to be made of permanently preprogrammed microcontrollers because the fixed preset program means that modifications cannot then be made in the course of ongoing volume production or by the end-customer. Motor-vehicle manufacturers are therefore increasingly going over to the practice of using so-called volatile memories or flash memories in the microcontrollers; volatile memories of this kind allow the program code to be overwritten at any time, which can be done both in production and in a repair shop, as part of an inspection say.

Something that is normally felt to be very much of a disadvantage with flash memories of this kind is the fact that in principle the possibility exists of the program being partly or even totally lost during the life of the motor-vehicle, and hence that the burnt-in software may crash at some random point. Program crashes of this kind may then mean that a control unit can no longer be changed properly to a state in which its current consumption is at a reduced level. Hence a vehicle becomes subject to a sustained, raised current consumption even in the parked state, i.e. with the ignition switched off, and this discharges the vehicle's battery and, if the worst comes to the worst, makes the vehicle impossible to start.

Because all the control units are interconnected in series, the seriousness of a fault of the kind described above may become very great. Via the interconnections, a faulty control unit with a defective flash memory may cause the entire motor vehicle to be permanently “awake” and in this way may give rise to an extreme power consumption. Substantially the same problem is caused by all the other faults of cyclic occurrence that cause constant resetting of the control unit, such as a short-circuit in the supply (producing an undervoltage caused by the switching on of a load, etc.) or the like.

In the prior art, attempts are now being made to detect the system behavior by means of a so-called “watchdog” (a configurable timer having a clock-signal derived from an independent source) within the control unit. What the term “watchdog” is generally understood to mean in this connection is a technique that is used to monitor devices, connections or software cyclically. If a piece of software is no longer following the ordered path laid down by the software, the watchdog is intended to reset the microcontroller and in this way to restore the running of the program to its planned course.

The watchdog is, however, powerless to help if the same fault keeps recurring: the software crashes, or a reset occurs due say to an undervoltage, at some random point in the program; the watchdog or undervoltage detector resets the control unit; and the control unit then crashes or causes an undervoltage again at a later point in time at the same point in the software. What is produced in this way is an endless loop from which the control unit is unable to escape.

Taking the disadvantages and shortcomings described above as a point of departure and with due allowance for the prior art outlined, it is an object of the present invention so to further develop a method of the kind detailed in the first paragraph and a base chip of the kind detailed in the second paragraph that the operation of a microcontroller unit that is intended for an application and is associated with a serial system of the above kind is monitored, so that faulty operation, and particularly faulty operation that causes battery discharge, can be reliably avoided.

This object is achieved by a method having the features specified in claim 1 and by a base chip having the features specified in claim 5. Advantageous embodiments and useful refinements of the present invention are described in the respective sets of dependent claims.

The present invention is therefore based not only on providing a method of monitoring but also on providing a system chip giving fault-statistics support. For this purpose it is proposed, under the teaching of the present invention, that at least one non-volatile memory area that allows the application software to keep fault statistics be provided in the application and in particular in the system chip.

This memory area should advantageously be arranged outside the microcontroller and should also have an independent supply, so that even short-circuits in the supply voltage to the microcontroller will not cause a loss of the statistical data that has been logged. An independently supplied memory area of this kind also allows the microcontroller to make use in intervening periods of a planned mode of operation in which there is no current supply (a so-called “sleep mode”), without losing the statistical data.

In a particularly advantageous refinement of the present invention, write access to the memory area is only permitted if the system starts again after a reset process. In this way the possibility can be ruled out of the memory area being accidentally overwritten in operation by, say, faulty software. Read access on the other hand should always be possible, to allow a system diagnosis to be undertaken at any time.

In both the method and the base chip according to the present invention, it is preferably possible for the cause of a reset event to be detected and made available to the microcontroller unit when required. In this way, different reset events can be detected and can be dealt with separately.

If for example the watchdog times out due to a faulty volatile memory, the microcontroller is notified of this reset event and the application software stores this information in the non-volatile memory area that is provided in accordance with the invention. For each reset event of this kind, the software may for example increment this fault memory and, when some given count is reached, may no longer start normally but may go to a fail-safe state in which the current consumption is low.

In a particularly inventive embodiment, the use of at least one S[ystem] B[ase] C[hip] allows both the voltage supply to the microcontroller unit and also the watchdog and the reset hardware to be provided with undervoltage detecting facilities. Within such system base chips that are permanently supplied by the battery, it is easy for the prescribed memory area to be implemented in the form of a R[andom] A[ccess] M[emory] because voltage is available constantly in this case (giving a cost benefit over an E[lectrically] E[rasable] P[rogrammable] R[ead] O[nly] M[emory]).

The detection of the reset event may also advantageously take place in the S[ystem] B[ase] C[hip] and it may be stored there, because the S[ystem] B[ase] C[hip] is itself responsible for checking the system reset. Hence, the system base chip may also, in an optimum way, perform the locking of the memory bits in the non-volatile memory area, because the S[ystem] B[ase] C[hip] itself checks the starting of the system and can block off the memory area after a successful start.

In accordance with the present invention, all the components required for developing a fail-safe system are available to the user. What is particularly advantageous is the flexibility of the present approach, because there are no fixed preset automatic functions that have to be incorporated in the S[ystem] B[ase] C[hip]. This allows the safety scheme for an application to be adapted and adjusted in the optimum manner and to be defined and/or scaled by the user in any desired way.

Finally, the present invention relates to the use of a method of the kind described above and/or of at least one base chip of the kind described above for monitoring the operation of a microcontroller unit intended for at least one application, in automobile electronics and particularly in the electronics of motor vehicles.

As has already been described above, there are various possible ways in which the teaching of the present invention may advantageously be embodied and refined. On the one hand, reference can be made in this connection in particular to the claims dependent on claims 1 and 5, and on the other, further aspects, features and advantages of the present invention are apparent from and will be elucidated with reference to the illustrative embodiment shown in FIG. 1 and described hereinafter.

In the drawings:

FIG. 1 is a block diagram of an embodiment of a system according to the present invention having a base chip and a microcontroller unit.

Shown diagrammatically in FIG. 1 is a control system 100 that, as well as a microcontroller unit 300 having a supply unit 310 (providing the VDD supply), a reset unit 320 and an I[nput]/O[utput] module 330, also has a so-called S[ystem] B[ase] C[hip] 200 for monitoring the operation of the microcontroller unit 300, the said microcontroller unit 300 being intended for an application.

For this purpose, the system chip 200 has, amongst other things, a non-volatile memory area 10 (=a “general purpose memory”) by means of which fault statistics relating to the operation of the microcontroller unit 300 can be produced and logged. The system chip 200 permits write access to the freely programmable bits of the memory unit 10 only while the system 100 is starting, in order to prevent faulty write accesses from occurring in operation. Read access to the freely programmable bits of the memory unit 10 on the other hand is always possible.

Because the system chip 200 allows a distinction to be made between different reset events and the different events to be made accessible to the application controller 300, the system chip 200 has an information unit 20 (for reset source information) that is provided to allow for different reset events, and a reset unit 40 (for system resets) that is connected to the microcontroller unit 300 by a connection 42 (going to the reset unit 320 of the microcontroller unit 300).

To allow information, and particularly fault statistics data, to be exchanged, the memory area 10 and the information unit 20 have inserted in front of them an interface unit 30 (feeding the I[nput]/O[utput] module 330 of the microcontroller unit 300).

As is also apparent from what is shown in FIG. 1, the memory area 10 and a microcontroller supply unit 50 that is connected to the microcontroller unit 300 by a connection 52 have permanently associated with them at least one battery unit 400. Whereas the memory bits in the memory unit 10 that are available to the application receive a permanent supply from the battery 400, the microcontroller supply unit 50 can be switched on and off by means of a switch 54, thus enabling a temporary energy supply to be associated with the microcontroller unit 300 via the microcontroller supply unit 50 (supplying the VDD supply unit 310 of the microcontroller unit 300).

So, to sum up, it can be said that the system base chip 200 shown in FIG. 1 is intended to detect and track cyclic fault situations in E[lectronic] C[ontrol] U[nits] to prevent any sustained high current consumption by the control system 100 from being caused by cyclic fault situations of this kind.

Certain bits (=so-called “general-purpose bits”) in a memory unit 10 forming part of the system base chip 200, which bits have a continuous supply, then allow the above-mentioned fault events to be stored using the application software and the statistical information thereby obtained to be kept available, notably even if there is (substantially) no power supply to the application controller 300 due to low-energy operation or failure.

In this connection, a specifically provided log or register in the system base chip 200 makes it possible to differentiate between the different fault events and the different cyclic problems to be tracked in this way. If a user-defined threshold is exceeded, the application can then, in accordance with the invention, decide not to (re)start but to go straight to a low-energy mode.
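The start-up logic described above (reset cause read from the information unit 20, fault counters kept in the memory area 10, write access only during start-up, fail-safe above a user-defined threshold), as an added example that is not part of the patent text. The C model below simulates the base chip in software; the register layout, the nibble encoding of the two counters, the power-on clearing policy and all names are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical software model of the system base chip (SBC) 200. */
enum reset_src { RST_POWER_ON, RST_WATCHDOG, RST_UNDERVOLTAGE };
enum boot_mode { BOOT_NORMAL, BOOT_FAILSAFE };
struct sbc {
    uint8_t gp_mem;            /* memory area 10: battery-backed general-purpose bits */
    enum reset_src reset_info; /* information unit 20: cause of the last reset */
    bool write_window;         /* open only between a reset and a successful start */
};

/* Read access is always possible, so diagnosis works at any time. */
static uint8_t sbc_read(const struct sbc *s) { return s->gp_mem; }

/* Write access is honoured only while the system is starting. */
static bool sbc_write(struct sbc *s, uint8_t v) {
    if (!s->write_window) return false;
    s->gp_mem = v;
    return true;
}

/* The SBC performs a reset: it records the cause and reopens the write window. */
static void sbc_reset(struct sbc *s, enum reset_src why) {
    s->reset_info = why;
    s->write_window = true;
}

/* Application start-up code. Assumed encoding: low nibble counts watchdog
 * resets, high nibble counts undervoltage resets, both saturating at 15. */
static enum boot_mode app_boot(struct sbc *s, uint8_t threshold) {
    uint8_t wd = sbc_read(s) & 0x0F, uv = sbc_read(s) >> 4;
    if (s->reset_info == RST_WATCHDOG && wd < 0x0F) wd++;
    else if (s->reset_info == RST_UNDERVOLTAGE && uv < 0x0F) uv++;
    else if (s->reset_info == RST_POWER_ON) wd = uv = 0; /* assumed clearing policy */
    sbc_write(s, (uint8_t)((uv << 4) | wd));
    s->write_window = false;   /* models the SBC locking the bits after start-up */
    return (wd >= threshold || uv >= threshold) ? BOOT_FAILSAFE : BOOT_NORMAL;
}

/* Replays a constructed run of n identical resets; returns the final boot mode. */
static enum boot_mode replay(struct sbc *s, enum reset_src why, int n, uint8_t threshold) {
    enum boot_mode m = BOOT_NORMAL;
    for (int i = 0; i < n; i++) { sbc_reset(s, why); m = app_boot(s, threshold); }
    return m;
}

int main(void) {
    struct sbc s = {0, RST_POWER_ON, false};  /* constructed scenario */
    enum boot_mode m = replay(&s, RST_WATCHDOG, 3, 3);
    printf("mode=%s gp_mem=0x%02X\n", m == BOOT_FAILSAFE ? "failsafe" : "normal", sbc_read(&s));
    return 0;
}
```

Keeping one counter per reset source is what lets a cyclic watchdog fault be told apart from a cyclic undervoltage fault when the memory area is read out for diagnosis.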

LIST OF REFERENCE NUMERALS

-   100 System, in particular a control system
-   10 Memory area
-   20 Information unit
-   30 Interface unit
-   40 Reset unit
-   42 Connection between reset unit 40 and microcontroller unit 300
-   50 Microcontroller supply unit
-   52 Connection between supply unit 50 and microcontroller unit 300
-   54 Switch of supply unit 50
-   200 Base chip, in particular a system base chip
-   300 Microcontroller unit, in particular an application microcontroller
-   310 Supply unit for microcontroller unit 300
-   320 Reset unit for microcontroller unit 300
-   330 I[nput]/O[utput] module of microcontroller unit 300
-   400 Battery unit

1. A method of monitoring the operation of at least one microcontroller unit (300) that is intended for at least one application and is associated with a system (100), characterized in that the microcontroller unit (300) has at least one non-volatile memory area (10) associated with it, the memory area (10) can be read from and/or written to by the microcontroller unit (300), and at least one set of statistics, and in particular a set of fault statistics, relating to the operation of the microcontroller unit (300), can be kept by means of the memory area (10).
 2. A method as claimed in claim 1, characterized in that the memory area (10) is permanently supplied by at least one battery unit (400).
 3. A method as claimed in claim 1 or 2, characterized in that, in relation to the operation of the microcontroller unit (300), a distinction can be made between different reset events and in that these different reset events can be made accessible to the microcontroller unit (300).
 4. A method as claimed in any of claims 1 to 3, characterized in that the memory area (10) can be read from at any time and/or can be written to only after a reset or while the system (100) is restarting.
 5. A base chip (200), and particularly a system base chip, for monitoring the operation of at least one microcontroller unit (300) that is intended for at least one application, characterized by at least one non-volatile memory area (10) that can be read from and/or written to by the microcontroller unit (300), and by means of which at least one set of statistics, and particularly at least one set of fault statistics, can be produced relating to the operation of the microcontroller unit (300).
 6. A base chip as claimed in claim 5, characterized by at least one information unit (20) that is provided to allow for different reset events, at least one reset unit (40) for resetting the microcontroller unit (300), which reset unit (40) is connected (42) to the microcontroller unit (300), and at least one supply unit (50) that is connected (52) to the microcontroller unit (300).
 7. A base chip as claimed in claim 6, characterized in that the memory area (10) and the supply unit (50) are permanently associated with at least one battery unit (400), and in that the microcontroller unit (300) has at least one temporary energy supply associated with it via the supply unit (50).
 8. A base chip as claimed in any of claims 5 to 7, characterized in that the memory area (10) and/or the information unit (20) have inserted in front of them at least one interface unit (30) for the exchange of data with the microcontroller unit (300).
 9. A system (100), and particularly a control system, characterized by at least one microcontroller unit (300) intended for at least one application and by at least one base chip (200) as claimed in any of claims 5 to 8.
 10. Use of a method as claimed in any of claims 1 to 4 and/or of at least one base chip (200) as claimed in any of claims 5 to 8 for monitoring the operation of at least one microcontroller unit (300) intended for at least one application, in automobile electronics and in particular in the electronics of motor vehicles.